Complete-SqlColumnMasterKeyRotation
Completes the rotation of a column master key.
Syntax
Complete-SqlColumnMasterKeyRotation
-SourceColumnMasterKeyName <String>
[-InputObject] <Database>
[-Script]
[-AccessToken <PSObject>]
[-TrustServerCertificate]
[-HostNameInCertificate <String>]
[-Encrypt <String>]
[-ProgressAction <ActionPreference>]
[<CommonParameters>]
Complete-SqlColumnMasterKeyRotation
-SourceColumnMasterKeyName <String>
[[-Path] <String>]
[-Script]
[-AccessToken <PSObject>]
[-TrustServerCertificate]
[-HostNameInCertificate <String>]
[-Encrypt <String>]
[-ProgressAction <ActionPreference>]
[<CommonParameters>]
Description
The Complete-SqlColumnMasterKeyRotation cmdlet completes the process of replacing an existing column master key with a new, target, column master key for the Always Encrypted feature.
The cmdlet gets all column encryption key objects containing encrypted key values that are encrypted with the specified source column master key.
The cmdlet then updates each column encryption key object to remove the entry for an encrypted value that was produced using the specified column master key.
As a result, each impacted column encryption key object will have only one encrypted value entry, produced using the column master key that is the target of the rotation.
Module requirements: version 21+ on PowerShell 5.1; version 22+ on PowerShell 7.x.
Examples
Example 1: Complete the process of rotating the column master key
PS C:\> Cleanup-SqlColumnMasterKey -SourceColumnMasterKeyName "CMK1"
This command completes the process of rotating the column master key named CMK1.
Parameters
-AccessToken
The access token used to authenticate to SQL Server, as an alternative to user/password or Windows Authentication.
This can be used, for example, to connect to SQL Azure DB
and SQL Azure Managed Instance
using a Service Principal
or a Managed Identity
.
The parameter to use can be either a string representing the token or a PSAccessToken
object as returned by running Get-AzAccessToken -ResourceUrl https://database.windows.net
.
This parameter is new in v22 of the module.
Type: | PSObject |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Encrypt
The encryption type to use when connecting to SQL Server.
This value maps to the Encrypt
property SqlConnectionEncryptOption
on the SqlConnection object of the Microsoft.Data.SqlClient driver.
In v22 of the module, the default is Optional
(for compatibility with v21). In v23+ of the module, the default value will be 'Mandatory', which may create a breaking change for existing scripts.
This parameter is new in v22 of the module.
Type: | String |
Accepted values: | Mandatory, Optional, Strict |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HostNameInCertificate
The host name to be used in validating the SQL Server TLS/SSL certificate. You must pass this parameter if your SQL Server instance is enabled for Force Encryption and you want to connect to an instance using hostname/shortname. If this parameter is omitted then passing the Fully Qualified Domain Name (FQDN) to -ServerInstance is necessary to connect to a SQL Server instance enabled for Force Encryption.
This parameter is new in v22 of the module.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Specifies the SQL database object for which this cmdlet runs the operation.
Type: | Database |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Path
Specifies the path to the SQL database, for which this cmdlet runs the operation. If you do not specify a value for the parameter, the cmdlet uses the current working location.
Type: | String |
Position: | 1 |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
Determines how PowerShell responds to progress updates generated by a script, cmdlet, or provider, such as the progress bars generated by the Write-Progress cmdlet. The Write-Progress cmdlet creates progress bars that show a command's status.
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Script
Indicates that this cmdlet runs a script to complete the rotation of a column master key.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SourceColumnMasterKeyName
Specifies the name of the source column master key.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TrustServerCertificate
Indicates whether the channel will be encrypted while bypassing walking the certificate chain to validate trust.
In v22 of the module, the default is $true
(for compatibility with v21). In v23+ of the module, the default value will be '$false', which may create a breaking change for existing scripts.
This parameter is new in v22 of the module.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.SqlServer.Management.Smo.Database
Outputs
System.Object